---
title: "Self-hosting"
---

Drift checks are triggered by a separate service, with its own Dockerfile

## Requirements

- Build/run the drift service (see `Dockerfile_drift`).
- Backend database accessible to the service.
- Webhook secret configured and used to protect internal endpoints.

## Key environment variables

- `DIGGER_HOSTNAME`: Base URL of your backend, used to call internal endpoints.
- `DIGGER_WEBHOOK_SECRET`: Shared secret to authenticate internal requests.
- `DIGGER_APP_URL`: Base URL for links in notifications.
- `DIGGER_DRIFT_REPORTER_HOSTNAME`: Hostname for the reporter in CI job specs.

## Scheduling and notifications

- Set the org-level `drift_cron_tab` for when to scan.
- Slack rollups use an org-level webhook URL when configured.
- SQL helper snippets for periodic invocation live in `drift/scripts/cron/`.

## Security

- Expose internal endpoints only behind your network boundary and verify the webhook secret on requests.

